Restrict device ownership to root only. But why?

5

2

NSA's Guide to the Secure Configuration of Red Hat Enterprise Linux 5 recommends restricting device ownership to root only.

So my question is why should we restrict device ownership to root? And what does device ownership mean anyway in Linux?

lisa17

Posted 2011-07-06T22:08:54.180

Reputation: 1 019

Answers

4

It is appropriate to restrict device file ownership to root, as device files provide relatively unrestricted access to hardware. Examples of places where unrestricted access to hardware is inappropriate:

  • Access to /dev/sda (the device file for the hard disk) provides the following:
    • The ability to bypass access controls and auditing.
    • The ability to damage the filesystem.
    • The ability to control the data on the disk, which is parsed in kernel-space for mounting filesystems.
  • Access to /dev/dsp (the device file representing a microphone) could provide access to an attacker to overhear (remotely) conversations that occur near the hardware.
  • Access to the video device could (in older hardware) permit an attacker to damage the video display. In newer hardware it could conceivably be used to cook the GPU.

There are other reasons to restrict access, but fundamentally access to the hardware is restricted because you value the hardware, because the real world that the hardware provides access to is more valuable than the bits, and because the hardware is often relatively trusted by the kernel.

In some cases systems are configured such that physical access to the machine (e.g. logging into a local console) means you get elevated access to some devices (e.g. CD reader / writer). The NSA document may be arguing against that configuration implicitly.

Slartibartfast

Posted 2011-07-06T22:08:54.180

Reputation: 6 899
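The check a practitioner would run against this recommendation is an audit of /dev for device nodes that are not root-owned or that are reachable through the "others" bits. The following is an added example written for this page; it is not code from the answer above or from the NSA guide. The `make_stat` helper and the sample values used with it are constructed so the checks can be exercised without real device nodes.

```python
import os
import stat


def make_stat(mode, uid, gid):
    """Build an os.stat_result from just the fields the audit uses.

    os.stat_result takes a 10-tuple (mode, ino, dev, nlink, uid, gid,
    size, atime, mtime, ctime); the unused fields are zero-filled. This is
    a test helper so the checks can run without creating device nodes.
    """
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


def audit_device(path, st):
    """Return findings for one directory entry.

    Non-device entries produce no findings. A device node is reported when
    it is not owned by root (its owner could chmod it) or when the 'others'
    bits make it world-writable or world-readable.
    """
    mode = st.st_mode
    if not (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)):
        return []
    findings = []
    if st.st_uid != 0:
        findings.append(
            f"{path}: owned by uid {st.st_uid}, not root (owner may chmod it)"
        )
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({stat.filemode(mode)})")
    elif mode & stat.S_IROTH:
        findings.append(f"{path}: world-readable ({stat.filemode(mode)})")
    return findings


def scan_devices(directory="/dev"):
    """Walk a directory tree (default /dev) and collect findings for every device node.

    lstat is used so symlinks such as /dev/stdin are skipped rather than
    followed; only the nodes themselves are judged.
    """
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # node vanished or is unreadable; skip it
            findings.extend(audit_device(path, st))
    return findings


if __name__ == "__main__":
    for line in scan_devices():
        print(line)
```

Run it as any user; reading the metadata of /dev needs no privilege. Expect nodes such as /dev/null, /dev/zero and /dev/tty to be listed as world-writable: those are intentionally open and the report needs a human pass. The ownership finding is the one the guide is about, and the fix for it is simply `chown root` on the node (and fixing whatever udev rule or script created it that way).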

4

Device file ownership means exactly the same thing as ownership of any file; the user owner is allowed access via the user permission bits (e.g. -rwx------) and can change the permissions of the file, the group owner via the group permission bits (e.g. ----rwx---), and everyone else via the "others" permission bits (e.g. -------rwx).

You restrict ownership to root so that if a non-root process has been compromised the perpetrator can't access the device file or change its permission bits, thereby reducing the security risk present.

Ignacio Vazquez-Abrams

Posted 2011-07-06T22:08:54.180

Reputation: 100 516
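To make the owner/group/other description concrete, here is an added example (not part of the answer above, and not how any RHEL tool implements it) that models the kernel's discretionary access check for a device node and the rule that only the owner or root may change its bits. The `SAMPLE_DEVICES` table, the uids and the gids in it are constructed stand-ins, and the model deliberately ignores capabilities other than root's DAC override, POSIX ACLs and SELinux.

```python
import stat

# Constructed sample device entries, not taken from any real system:
# path -> (st_mode, st_uid, st_gid). uid 0 is root; gid 6 and gid 29 are
# stand-ins for the "disk" and "audio" groups.
SAMPLE_DEVICES = {
    "/dev/sda": (stat.S_IFBLK | 0o660, 0, 6),
    "/dev/dsp": (stat.S_IFCHR | 0o660, 0, 29),
    "/dev/usernode": (stat.S_IFCHR | 0o600, 1000, 1000),  # wrongly owned by uid 1000
}

# Which read/write bits each permission class consults.
_BITS = {
    "owner": (stat.S_IRUSR, stat.S_IWUSR),
    "group": (stat.S_IRGRP, stat.S_IWGRP),
    "other": (stat.S_IROTH, stat.S_IWOTH),
}


def permission_class(file_uid, file_gid, proc_uid, proc_groups):
    """Return which single set of bits applies to this process.

    The kernel picks exactly one class: owner if the uids match, else group
    if the file's gid is among the process's groups, else other. It never
    falls through to a later class when the chosen one denies access.
    """
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_groups:
        return "group"
    return "other"


def may_open(mode, file_uid, file_gid, proc_uid, proc_groups, want):
    """Simplified DAC check for opening a file for 'r' or 'w'.

    Root (uid 0) is modelled as bypassing the bits (CAP_DAC_OVERRIDE).
    """
    if proc_uid == 0:
        return True
    cls = permission_class(file_uid, file_gid, proc_uid, proc_groups)
    rbit, wbit = _BITS[cls]
    return bool(mode & (rbit if want == "r" else wbit))


def may_chmod(file_uid, proc_uid):
    """Only the file's owner or root may change its permission bits."""
    return proc_uid == 0 or proc_uid == file_uid


def rights(path, proc_uid, proc_groups):
    """Summarise what a process with these credentials can do to a sample node."""
    mode, uid, gid = SAMPLE_DEVICES[path]
    return {
        "class": permission_class(uid, gid, proc_uid, proc_groups),
        "read": may_open(mode, uid, gid, proc_uid, proc_groups, "r"),
        "write": may_open(mode, uid, gid, proc_uid, proc_groups, "w"),
        "chmod": may_chmod(uid, proc_uid),
    }


if __name__ == "__main__":
    # Constructed principals: root, an ordinary user, and a user in "disk".
    principals = (("root", 0, {0}), ("alice", 1000, {1000}), ("bob", 1001, {1001, 6}))
    for path, (mode, _uid, _gid) in SAMPLE_DEVICES.items():
        for who, uid, groups in principals:
            print(f"{path:14} {stat.filemode(mode)} {who:6} {rights(path, uid, groups)}")
```

Two points the table makes visible. First, `/dev/usernode` shows the risk the answer describes: a process running as uid 1000 that is compromised not only reads and writes the node but can `chmod` it to 0666 and hand it to everyone, which no non-root uid can do to a root-owned node regardless of the group bits. Second, class selection is exclusive: a file with mode `----rw----` owned by alice denies alice even when she is in the file's group, because her owner bits are consulted and nothing else.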